Hi, This is my first post. How's it going?
I managed to get OpenSSL 0.9.8g and Apache/2.2.12 working together, but I never defined what cipher rules I want to allow. Unfortunately, I cannot figure out a single way for apache2ctl to tell me what ciphers apache is using. Not what it supports, but what it is currently allowing when clients use https://. It sounds a bit like a user question, but if it is not implemented, I wanted to toss the idea around with a few devs here. The reason is I'm worried that it's allowing 40-bit encryption, and I would like to see actual verification from Apache whether or not my current setup is allowing it. Later, I will want to disable AES > 128-bits, once I get an idea of which ciphers it's hosting. (See http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html for more info) Another problem I found (I'm not whining or cracking a whip), is that the apache2 docs don't even mention AES in them, which makes me think that the allowable CipherSuite stuff documented is about 10 years out of date. Does anyone have any advice for me? Thank you. -- smu johnson <smujohn...@gmail.com>
